git.stella-ops.org/docs/modules/policy/samples/policy-determinism-fixtures.json

{
  "$schema": "https://stellaops.org/schemas/policy/determinism-fixture-v1.json",
  "version": "1.0.0",
  "description": "Determinism fixtures for Policy Engine scoring and decision APIs",
  "fixtures": [
    {
      "fixture_id": "DET-001",
      "name": "Basic Scoring Determinism",
      "description": "Verify that scoring produces identical output for identical input",
      "input": {
        "finding_id": "CVE-2024-0001",
        "tenant_id": "default",
        "profile_id": "risk-profile-001",
        "signals": {
          "cvss_base": 7.5,
          "exploitability": 2.8,
          "impact": 5.9
        }
      },
      "expected_output": {
        "severity": "high",
        "raw_score": 7.5,
        "signal_order": ["cvss_base", "exploitability", "impact"],
        "assertions": [
          "signal_contributions keys are alphabetically ordered",
          "scored_at is from context, not wall clock"
        ]
      }
    },
    {
      "fixture_id": "DET-002",
      "name": "Multi-Finding Ordering",
      "description": "Verify that multiple findings are returned in stable order",
      "input": {
        "findings": [
          {"finding_id": "CVE-2024-0003", "cvss_base": 5.0},
          {"finding_id": "CVE-2024-0001", "cvss_base": 9.8},
          {"finding_id": "CVE-2024-0002", "cvss_base": 7.5}
        ]
      },
      "expected_output": {
        "finding_order": ["CVE-2024-0001", "CVE-2024-0002", "CVE-2024-0003"],
        "assertions": [
          "findings sorted alphabetically by finding_id",
          "order is stable across multiple runs"
        ]
      }
    },
    {
      "fixture_id": "DET-003",
      "name": "Decision Summary Ordering",
      "description": "Verify severity counts are in canonical order",
      "input": {
        "decisions": [
          {"severity": "low", "count": 5},
          {"severity": "critical", "count": 1},
          {"severity": "medium", "count": 3},
          {"severity": "high", "count": 2}
        ]
      },
      "expected_output": {
        "severity_order": ["critical", "high", "medium", "low", "info"],
        "assertions": [
          "severity_counts keys follow canonical order",
          "missing severities are either omitted or zero-filled consistently"
        ]
      }
    },
    {
      "fixture_id": "DET-004",
      "name": "Deprecated Field Absence (v2.0)",
      "description": "Verify deprecated fields are not present in v2.0 output",
      "input": {
        "finding_id": "CVE-2024-0001",
        "cvss_base": 7.5,
        "version": "2.0"
      },
      "expected_output": {
        "absent_fields": [
          "normalized_score",
          "top_severity_sources",
          "source_rank"
        ],
        "present_fields": [
          "severity",
          "raw_score",
          "trust_weights"
        ],
        "assertions": [
          "normalized_score is not serialized",
          "trust_weights replaces top_severity_sources"
        ]
      }
    },
    {
      "fixture_id": "DET-005",
      "name": "Legacy Compatibility Mode (v1.5)",
      "description": "Verify deprecated fields are present when legacy mode enabled",
      "input": {
        "finding_id": "CVE-2024-0001",
        "cvss_base": 7.5,
        "options": {
          "include_legacy_normalized_score": true
        }
      },
      "expected_output": {
        "present_fields": [
          "normalized_score",
          "severity",
          "raw_score"
        ],
        "assertions": [
          "normalized_score is present for backwards compatibility",
          "severity is canonical (high, not HIGH)"
        ]
      }
    },
    {
      "fixture_id": "DET-006",
      "name": "Signal Contribution Ordering",
      "description": "Verify signal contributions maintain stable key order",
      "input": {
        "signals": {
          "zeta_factor": 0.5,
          "alpha_score": 1.0,
          "beta_weight": 0.75
        }
      },
      "expected_output": {
        "contribution_order": ["alpha_score", "beta_weight", "zeta_factor"],
        "assertions": [
          "signal_contributions keys are alphabetically sorted",
          "contribution values are deterministic decimals"
        ]
      }
    },
    {
      "fixture_id": "DET-007",
      "name": "Timestamp Determinism",
      "description": "Verify timestamps come from context, not wall clock",
      "input": {
        "finding_id": "CVE-2024-0001",
        "context": {
          "evaluation_time": "2025-12-06T10:00:00Z"
        }
      },
      "expected_output": {
        "scored_at": "2025-12-06T10:00:00Z",
        "assertions": [
          "scored_at matches context.evaluation_time exactly",
          "no random GUIDs in output"
        ]
      }
    }
  ],
  "test_requirements": {
    "snapshot_equality": "Identical inputs must produce byte-for-byte identical JSON",
    "cross_environment": "Output must match across CI, local, and production",
    "ordering_stability": "Collection order must be deterministic and documented"
  },
  "migration_notes": {
    "v1.5": "Enable legacy mode with include_legacy_normalized_score for backwards compatibility",
    "v2.0": "Remove all deprecated fields, trust_weights replaces source ranking"
  }
}